config: bind caps

Makefile

@@ -139,7 +139,7 @@ indent:
 nsjail.o: nsjail.h common.h caps.h cmdline.h log.h net.h subproc.h util.h
 caps.o: caps.h common.h log.h
 cmdline.o: cmdline.h common.h caps.h config.h log.h mount.h util.h user.h
-config.o: common.h config.h log.h mount.h user.h util.h
+config.o: common.h caps.h config.h log.h mount.h user.h util.h
 contain.o: contain.h common.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
 contain.o: user.h util.h uts.h
 log.o: log.h common.h

config.c

@@ -25,6 +25,7 @@
 #include <sys/mount.h>
 #include <sys/personality.h>
 
+#include "caps.h"
 #include "config.h"
 #include "log.h"
 #include "mount.h"
@@ -113,6 +114,15 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
 	}
 
 	nsjconf->keep_caps = njc->keep_caps;
+	for (size_t i = 0; i < njc->n_cap; i++) {
+		struct ints_t *f = utilMalloc(sizeof(struct ints_t));
+		f->val = capsNameToVal(njc->cap[i]);
+		if (f->val == -1) {
+			return false;
+		}
+		TAILQ_INSERT_HEAD(&nsjconf->caps, f, pointers);
+	}
+
 	nsjconf->is_silent = njc->silent;
 	nsjconf->skip_setsid = njc->skip_setsid;
 

config.proto

@@ -110,6 +110,9 @@ message NsJailConfig
 
     /* Should capabilities be preserved or dropped */
     required bool keep_caps = 21 [ default = false ];
+    /* Which capabilities should be preserved if keep_caps == false.
+       Format: "CAP_SYS_PTRACE" */
+	repeated string cap = 63;
     /* Should nsjail close FD=0,1,2 before executing the process */
     required bool silent = 22 [ default = false ];
     /* Should the child process have control over terminal?

configs/bash-with-fake-geteuid.cfg

@@ -29,6 +29,8 @@ envar: "HOME=/"
 envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "
 
 keep_caps: true
+cap: "CAP_NET_ADMIN"
+cap: "CAP_NET_RAW"
 silent: false
 skip_setsid: true
 pass_fd: 100